Conventional techniques that address application security on mobile devices are often binary—either the mobile device is locked, in which case a user can access a very limited subset of applications, or the mobile device is unlocked, in which case the user has full access to the applications on the mobile device. The subset of applications that are accessible when a mobile device is locked may include just those applications that have been declared to run above the lock screen (e.g., camera, touchless control, lock-screen widgets, and so on). However, mobile-device users may find this approach to be inconvenient in some instances and insufficient in others. Consequently, conventional techniques for application security can be unsatisfactory to mobile-device users.